Page 4 - 3GPP_Highlights_Issue_5_WEB
TECHNICAL HIGHLIGHTS

AUTHENTICATION AND KEY MANAGEMENT FOR APPLICATIONS (AKMA) IN 5G

By Suresh Nair, 3GPP Working Group SA3 Chair, Saurabh Khare & Jing Ping (Nokia)
3GPP have introduced many novel security features in 5G. These security features address the need to enhance the existing 4G security in different domains, such as the access stratum (AS) between the UE and the base station or the Non Access Stratum (NAS) between the UE and the AMF, to secure the PLMN 5G Core interface involving multiple Network Functions (NFs) which use a Service Based Architecture (SBA) interface, or the end-to-end interface between the UE and the UDM. 3GPP also defined security procedures for new industry segments and vertical markets such as Network Slicing, Non Public Networks (NPN), inter-PLMN roaming, etc. One of the new security features defined is ‘Authentication and Key Management for Applications (AKMA)’, to enable applications to leverage the authentication of the UE performed by the PLMN and to use it for further authentication and authorization by an application, and to bootstrap the necessary application security keys to the UE.

A full description of the AKMA feature is not intended here. Only a short description of the feature and its unique benefits is given. A full technical specification is contained in 3GPP TS 33.535.
Primary Authentication of the UE and AKMA:

When a UE registers with the PLMN for the first time, the network performs a primary authentication of the UE. Only after the successful primary authentication of the UE is the UE authorized for additional network services. 3GPP has specified two protocols, 5G-AKA and EAP-AKA’, for primary authentication, both of which can be executed over 3GPP access and non-3GPP access. In the primary authentication, the subscription credentials and the shared secret stored in the USIM of the UE and the same stored in the UDM/UDR of the operator network are verified. Please note that in 5G, unlike in earlier 3G and 4G, the subscription permanent identifier (SUPI) is encrypted and sent to the UDM/UDR as a concealed subscription permanent identifier (SUCI). At the end of a successful primary authentication, the UE is admitted to the network and the connection is secured using the derived session keys. In 5G, a new security network function, the Authentication Server Function (AUSF), has been introduced in the 5G core (5GC) to manage the UE authentication using the SUCI or the SUPI and to manage the root session key KAUSF. The AUSF stores the root session key KAUSF and further keys are derived from this key. The UE and network derive further keys from the KAUSF. The radio connection between the UE and the base station is secured using the derived access stratum (AS) keys and the connection between the UE and the core network is secured using the derived non access stratum (NAS) keys. The availability of the key KAUSF at the AUSF and the UE, as a result of the successful primary authentication, has become an advantage since this key could be used to generate further keys that could be bootstrapped to secure different applications. The AKMA key hierarchy as specified in TS 33.535 is shown in Figure-1.

[Figure-1: AKMA key hierarchy. KAUSF is held at the AUSF (HPLMN) and the ME; KAKMA at the AAnF and the ME; KAF at the AF and the ME.]

From the key KAUSF, an AKMA specific key KAKMA is derived. To secure individual applications, an application specific key KAF is derived from the KAKMA.
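As an added worked example (not code from the article, from 3GPP or from Nokia), the key hierarchy of Figure-1 carried through with the generic 3GPP key derivation function of TS 33.220 Annex B. The FC values and parameter layouts for KAKMA and KAF are given as I recall them from TS 33.535 Annex A and should be treated as assumptions to be checked against the specification; the KAUSF, SUPI and Ua* protocol identifier are constructed sample values.

```python
import hashlib
import hmac

def kdf_input_string(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... as in TS 33.220 Annex B,
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s

def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 keyed with the parent key over S."""
    return hmac.new(key, kdf_input_string(fc, *params), hashlib.sha256).digest()

# FC values and parameter layout below follow TS 33.535 Annex A as recalled
# (K_AKMA: FC 0x80, P0 = "AKMA", P1 = SUPI; K_AF: FC 0x82, P0 = AF_ID with
# AF_ID = AF FQDN || Ua* security protocol identifier). They are an assumption
# here; confirm them against the specification before relying on them.
def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    return kdf_33220(k_ausf, 0x80, b"AKMA", supi.encode())

def derive_k_af(k_akma: bytes, af_fqdn: str, ua_star_proto_id: bytes) -> bytes:
    af_id = af_fqdn.encode() + ua_star_proto_id
    return kdf_33220(k_akma, 0x82, af_id)

def akma_hierarchy(k_ausf: bytes, supi: str, af_fqdn: str, ua_star_proto_id: bytes) -> dict:
    """Walk the hierarchy of Figure-1: KAUSF -> KAKMA -> KAF.
    Only KAF is handed to the AF; KAUSF stays at the AUSF/UE and KAKMA at the AAnF/UE,
    so a compromised AF learns nothing about the keys of other applications."""
    k_akma = derive_k_akma(k_ausf, supi)
    k_af = derive_k_af(k_akma, af_fqdn, ua_star_proto_id)
    return {"K_AKMA": k_akma, "K_AF": k_af}

# Constructed sample input (not real subscriber data): a 256-bit KAUSF,
# a SUPI in IMSI/NAI form and a placeholder 5-byte Ua* protocol identifier.
SAMPLE_K_AUSF = hashlib.sha256(b"constructed sample KAUSF").digest()
SAMPLE_SUPI = "imsi-001010123456789"
SAMPLE_UA_STAR_ID = bytes.fromhex("0100000000")

if __name__ == "__main__":
    # Two application functions bound to the same UE get unrelated KAF values.
    for fqdn in ("af1.example.com", "af2.example.com"):
        keys = akma_hierarchy(SAMPLE_K_AUSF, SAMPLE_SUPI, fqdn, SAMPLE_UA_STAR_ID)
        print(fqdn, "K_AF =", keys["K_AF"].hex())
```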
AKMA Architecture:

In 4G, 3GPP defined the Generic Bootstrapping Architecture (GBA) in TS 33.220 to bootstrap keys to secure the application between the UE and an application server, after authenticating the UE using the LTE-AKA protocol. A similar approach is taken in AKMA, but because of the 5G core service-based architecture, the AKMA architecture becomes entirely different compared to GBA.

[Figure-2: AKMA Architecture in reference point representation for (a) internal AFs and (b) external AFs. Entities shown: UE, (R)AN, AMF, AUSF, UDM, AAnF, AF and, for external AFs, the NEF; reference points N1, N2, N12, N13, N33, N61, N62, N63 and Ua*.]